In an era when more and more intruders are coming after corporate data for profit, not just for fun, a layered approach to security is more important than ever. The approach must be built on sound policies that are effectively communicated throughout the organization and backed up with spending on the right controls, but not too much spending in any one area.
In a nutshell, that's the philosophy that Intel's internal IT group follows to protect the company's own considerable corporate assets, according to Michael Sparks, senior security specialist with Intel's Technology Information Risk & Security group.
In his talk at the recent Network World IT Roadmap Conference & Expo in Santa Clara, and in a follow-up interview, Sparks warned that we are now facing third-generation cyber attacks. Whereas first-generation attacks were launched mainly by those looking for some measure of notoriety, the motive shifted in the mid-1990s with second-generation attacks that sought to bring down corporate computers. Today, the motive is financial gain and the target is data, whether personal data such as credit card numbers or corporate intellectual property, either of which can be sold for profit.
"If people are getting paid for it, they're going to go where the money is," Sparks says.
In his talk, Sparks described the current security climate as a "perfect storm," in which threats -- meaning people -- continually try to exploit known vulnerabilities in computer systems. This combination creates risk to business assets: the confidentiality and integrity of data, and the possible loss of the data itself. So the business must implement some form of control to protect itself, such as antivirus software, an intrusion-detection system or encryption. No sooner is one control implemented than a new vulnerability crops up, starting the cycle all over.
The regulatory climate adds to business risk, because public companies such as Intel must comply with the Sarbanes-Oxley Act as well as California's database breach disclosure law. Such regulations can pull security budget dollars away from areas that the company may want to protect, by forcing it to instead spend money on areas it is legally bound to protect, Sparks says.
What results is a balancing act, in which the company must weigh its need to provide authorized access to data on one side vs. the need to protect its assets on the other. "What you really want to do is research your requirements, your needs and what you're trying to protect and put the greatest effort into that," Sparks says. Companies must be mindful, however, that if they err too far on the side of caution, they may limit the usefulness of their most important asset: their data. If employees who need data can't get at it, the data does the organization no good.
With its huge constituency of users to think about, as well as significant legal requirements to meet, Intel tends to fall just to the conservative side of the equation, Sparks says. The idea is to keep information assets reasonably protected, and to keep legal, but still allow information to be available to those who need it.